Delegation Chain
The sequence of authorisations that allows an orchestrator agent to spawn sub-agents and each sub-agent to invoke tools or call other systems.
A delegation chain is the path of authority through an agentic AI system. It starts with the principal — typically the human user or the system that authorised the agent's session — and follows the authorisation as it flows through the orchestrator, any sub-agents, and the tools each agent can invoke. Every link in the chain is a security boundary.
In a simple chain, a user authorises an agent, the agent calls a tool, and the tool acts on the user's behalf. In a complex chain, the user authorises an orchestrator, which authorises a sub-agent, which authorises a tool wrapper, which calls an underlying API on behalf of the system or the user. Each link can carry its own scope, its own expiry, and its own audit trail.
Delegation chain analysis examines: who authorised what at each step; whether each sub-agent's scope is bounded by the orchestrator's scope (it should be); whether tools inherit the user's identity, the orchestrator's identity, or have their own service identity (it depends — but the answer should be documented); and whether confused-deputy attacks (an agent using its broader permissions to retrieve data the user is not authorised to see) are possible.
Required controls for delegation chains: scoped tokens at each delegation step; explicit identity carried through (no implicit principal substitution); audit logs that capture the whole chain, not just the leaf action; and bounded delegation depth with scope attenuation at every hop (an agent's permissions cannot exceed the orchestrator's).
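As an added illustration of the analysis questions and controls above (example code, not from the original entry or any particular framework): a minimal delegation-grant model in which every hop must attenuate scope, depth is capped, and each decision's audit record carries the whole chain rather than only the leaf actor. The identities, scope names and the MAX_DEPTH policy are constructed assumptions.

```python
from dataclasses import dataclass

MAX_DEPTH = 3  # assumed policy: user -> orchestrator -> sub-agent -> tool wrapper

class DelegationError(Exception):
    pass

@dataclass(frozen=True)
class Grant:
    principal: str     # identity acting under this grant
    scopes: frozenset  # actions permitted at this link
    depth: int         # 0 = the human or session principal at the root
    chain: tuple       # every identity in the chain so far (the audit trail)

def root_grant(principal, scopes):
    """The chain starts with the principal who authorised the session."""
    return Grant(principal, frozenset(scopes), 0, (principal,))

def delegate(parent, child, requested):
    """Issue a child grant: scopes must attenuate and depth is bounded."""
    requested = frozenset(requested)
    if parent.depth + 1 > MAX_DEPTH:
        raise DelegationError(f"depth {parent.depth + 1} exceeds {MAX_DEPTH}")
    excess = requested - parent.scopes
    if excess:
        raise DelegationError(f"{child} requested {sorted(excess)} beyond {parent.principal}")
    return Grant(child, requested, parent.depth + 1, parent.chain + (child,))

def refused(parent, child, requested):
    """True when the policy rejects a delegation (scope creep or excess depth)."""
    try:
        delegate(parent, child, requested)
    except DelegationError:
        return True
    return False

def authorize(grant, action):
    """Decide a leaf action and emit an audit record carrying the whole chain."""
    return {"action": action, "actor": grant.principal,
            "allowed": action in grant.scopes, "chain": list(grant.chain)}

# Constructed scenario: alice holds read:tickets only, while the orchestrator's own
# service identity holds read:hr as well. Rooting the chain in alice blocks the
# confused deputy; rooting it in the service identity (principal substitution) does not.
USER = root_grant("alice", {"read:tickets"})
ORCHESTRATOR = delegate(USER, "orchestrator", {"read:tickets"})
SERVICE = root_grant("orchestrator-svc", {"read:tickets", "read:hr"})
HR_VIA_SERVICE = delegate(SERVICE, "hr-agent", {"read:hr"})
```

The two roots show why the "whose identity does the tool carry" question in the analysis must be answered explicitly: the same sub-agent request is refused under the user-rooted chain and granted under the service-rooted one.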
Delegation chains are a primary attack surface for agentic AI. The OWASP Agentic Top 10 calls out A4 Privilege Escalation specifically for this surface. A security review that does not explicitly walk through the delegation chain is missing a primary risk category.